OIG-10-A-09, Audit of NRC's Personnel Security Clearance ...

AUDIT REPORT

Audit of NRC’s Personnel Security Clearance Program for Employees

OIG-10-A-09 February 23, 2010

All publicly available OIG reports (including this report) are accessible through NRC’s Web site at:

http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/

UNITED STATES NUCLEAR REGULATORY COMMISSION

WASHINGTON, D.C. 20555-0001 OFFICE OF THE INSPECTOR GENERAL

February 23, 2010 MEMORANDUM TO: R. William Borchardt Executive Director for Operations FROM: Stephen D. Dingbaum /RA/ Assistant Inspector General for Audits SUBJECT: AUDIT OF NRC’S PERSONNEL SECURITY CLEARANCE

PROGRAM FOR EMPLOYEES (OIG-10-A-09) Attached is the Office of the Inspector General’s (OIG) report, Audit of NRC’s Personnel Security Clearance Program for Employees. The report presents the results of the subject audit. Agency comments provided during and subsequent to a January 28, 2010, exit conference have been incorporated, as appropriate, into this report. Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG followup as stated in Management Directive 6.1. We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 415-5915 or Beth Serepca, Team Leader, Security and Information Management Audit Team, at 415-5912. Attachment: As stated

Electronic Distribution Edwin M. Hackett, Executive Director, Advisory Committee on Reactor Safeguards E. Roy Hawkens, Chief Administrative Judge, Atomic Safety and Licensing Board Panel Stephen G. Burns, General Counsel Brooke D. Poole, Jr., Director, Office of Commission Appellate Adjudication James E. Dyer, Chief Financial Officer Margaret M. Doane, Director, Office of International Programs Rebecca L. Schmidt, Director, Office of Congressional Affairs Eliot B. Brenner, Director, Office of Public Affairs Annette Vietti-Cook, Secretary of the Commission R. William Borchardt, Executive Director for Operations Bruce S. Mallett, Deputy Executive Director for Reactor and Preparedness Programs, OEDO Martin J. Virgilio, Deputy Executive Director for Materials, Waste, Research, State, Tribal, and Compliance Programs, OEDO Darren B. Ash, Deputy Executive Director for Corporate Management and Chief Information Officer, OEDO Nader L. Mamish, Assistant for Operations, OEDO Kathryn O. Greene, Director, Office of Administration Patrick D. Howard, Director, Computer Security Officer Roy P. Zimmerman, Director, Office of Enforcement Charles L. Miller, Director, Office of Federal and State Materials and Environmental Management Programs Cheryl A. McCrary, Director, Office of Investigations Thomas M. Boyce, Director, Office of Information Services James F. McDermott, Director, Office of Human Resources Michael R. Johnson, Director, Office of New Reactors Michael F. Weber, Director, Office of Nuclear Material Safety and Safeguards Eric J. Leeds, Director, Office of Nuclear Reactor Regulation Brian W. Sheron, Director, Office of Nuclear Regulatory Research Corenthis B. Kelley, Director, Office of Small Business and Civil Rights James T. Wiggins, Director, Office of Nuclear Security and Incident Response Samuel J. Collins, Regional Administrator, Region I Luis A. Reyes, Regional Administrator, Region II Mark A. Satorius, Regional Administrator, Region III Elmo E. Collins, Jr., Regional Administrator, Region IV


i

EXECUTIVE SUMMARY

BACKGROUND

The Nuclear Regulatory Commission’s (NRC) personnel security clearance program strives to implement measures to ensure that agency staff can be trusted to work with and protect classified information and to prevent the hiring of employees who might be untrustworthy or unsuitable for Federal employment. At NRC, the Personnel Security Branch (PSB) administers the personnel security clearance program. PSB staff report to the Division of Facilities and Security (DFS), which is part of the Office of Administration (ADM). The Atomic Energy Act of 1954, as amended, requires all NRC employees to have a security clearance, but allows employees to begin working for NRC prior to their clearance — provided the Commission determines that such employment is in the national interest and the employee does not have access to classified information. Today, a significant number of new NRC employees are permitted to begin work prior to receiving a security clearance, but only after PSB conducts a review of the individual’s background information as reported by the individual, credit history, and criminal history; evaluates the results; and determines there are no factors that may constitute a security risk to the agency. This approval is referred to as a pre-appointment investigation waiver or a 145b waiver. After NRC grants an initial approval to begin work (with no access to classified information), the agency requests a full background investigation from the Office of Personnel Management (OPM). Once the OPM background investigation is returned to NRC, PSB staff adjudicate the results by reviewing the investigation report. The adjudicative process is an examination of a sufficient period of a person's life to make a determination to grant or deny a security clearance. In 2005, as a result of a substantial increase in hiring, ADM shifted its resources toward completing its own pre-appointment investigation and processing of 145b waivers. This resource realignment was effected to support the agency’s higher priority to complete ongoing hiring initiatives in a timely manner. For the period FY 2005 through FY 2008, background investigations increased from 925 to 1,593, or approximately 72 percent. As a result of this shift in resources, a considerable backlog of cases requiring adjudication developed after receipt of OPM closed background investigations. DFS management stated that this backlog, consisting primarily of contractor and licensee clearance requests, was 1,121 cases in January 2009. Management also asserted that the backlog has been reduced in the last 12 months to 350 cases.


ii

PURPOSE

The purpose of this audit was to determine whether (1) NRC is in compliance with external and internal personnel security clearance requirements, and (2) NRC’s personnel security clearance program is efficiently managed.

RESULTS IN BRIEF

Although it is NRC’s policy to ensure that personnel security determinations are made in accordance with external and internal requirements, NRC is not fully in compliance with established timeliness requirements for processing personnel security clearances. Furthermore, NRC’s personnel security clearance program lacks sufficient management controls and oversight to measure the program’s efficiency and assign accountability for the program’s performance. Timeliness Requirements Not Met The Intelligence Reform and Terrorism Prevention Act of 2004 provides timeliness requirements for processing Federal personnel security clearance investigations. NRC has not fully met the adjudication and reinvestigation timeliness requirements because DFS management has not implemented a procedure to routinely monitor and follow up on all case files to ensure cases are processed timely. Additionally, management lacks useful and reliable reports to track the status of clearance investigations through the various stages of the investigative process. Delays in completing initial investigations may hinder agency productivity, while delays in completing reinvestigations can lead to increased security risks. Agency Lacks Personnel Security Performance Measures Federal control standards require the establishment and review of performance measures and indicators. At the start of this audit, NRC lacked performance measures to assess the efficiency of NRC’s personnel security clearance program. In response to a 2004 Office of the Inspector General (OIG) audit report recommendation, DFS added a timeliness performance measure to the FY 2005 ADM Operating Plan for the processing of personnel security investigations. In FY 2006, deeming the timeliness performance measure unattainable, management removed the measure from the plan. Without performance measures, the agency’s ability to assess personnel security clearance program efficiency and assign accountability for the program performance is limited.


iii

RECOMMENDATIONS

A draft report initially made five recommendations to improve the agency’s

personnel security clearance program for employees. Prior to the issuance of this final report the agency implemented two of the recommended measures. Therefore, OIG removed the two recommendations that were already addressed, and this report makes three recommendations. A consolidated list of these recommendations appears in Section V of this report.

AGENCY COMMENTS Prior to and subsequent to a January 28, 2010, exit conference, agency senior executives provided suggested revisions to the discussion draft report for OIG’s consideration. This final report incorporates revisions made, where appropriate, as a result of the agency’s suggestions.


iv

[Page intentionally left blank.]


v

ABBREVIATIONS AND ACRONYMS

ADM Office of Administration

DFS Division of Facilities and Security

IRTPA The Intelligence Reform and Terrorism Prevention Act of 2004

NRC Nuclear Regulatory Commission

OIG Office of the Inspector General

OPM Office of Personnel Management

PSB Personnel Security Branch


vi



vii

TABLE OF CONTENTS

EXECUTIVE SUMMARY.............................................................................. i

ABBREVIATIONS AND ACRONYMS ......................................................... v

I. BACKGROUND .................................................................................. 1

II. PURPOSE........................................................................................... 4

III. FINDINGS........................................................................................... 5

A. TIMELINESS REQUIREMENTS NOT MET............................................ 5

B. AGENCY LACKS PERSONNEL SECURITY PERFORMANCE MEASURES .......................................................... 11

IV. AGENCY COMMENTS ..................................................................... 13 V. CONSOLIDATED LIST OF RECOMMENDATIONS ......................... 14

APPENDIX

SCOPE AND METHODOLOGY................................................................ 15


viii



1

I. BACKGROUND Federal personnel security programs are designed to protect U.S. national security interests by ensuring the reliability and trustworthiness of all Government employees. All Government employees must undergo a background investigation to work for the Federal Government. The type of investigation required depends on the type of work the individual will perform. When work requires access to classified information, a favorable adjudication of an appropriate investigation of the employee’s background, a demonstrated need-to-know, and a signed nondisclosure agreement are required. The Nuclear Regulatory Commission’s (NRC) personnel security clearance program strives to implement measures to ensure that agency staff can be trusted to work with and protect classified information and to prevent the hiring of employees who might be untrustworthy or unsuitable for Federal employment. At NRC, the Personnel Security Branch (PSB) administers the personnel security clearance program. PSB staff report to the Division of Facilities and Security (DFS), which is part of the Office of Administration (ADM).

Atomic Energy Act and Section 145b The Atomic Energy Act of 1954, as amended, requires all NRC employees to have a security clearance, but allows employees to begin working for NRC prior to their clearance — provided the Commission determines that such employment is in the national interest and the employee does not have access to classified information. Today, a significant number of new NRC employees are permitted to begin work prior to receiving a security clearance, but only after PSB conducts a review of the individual’s background information as reported by the individual, credit history, and criminal history; evaluates the results; and determines there are no factors that may constitute a security risk to the agency. This approval is referred to as a pre-appointment investigation waiver or a 145b waiver.1

1 The term “145b waiver” refers to section 145b of the Atomic Energy Act of 1954, as amended, which provides NRC the authority to grant a pre-appointment investigation waiver.


2

NRC’s Personnel Security Clearance Program After NRC grants an initial approval to begin work (with no access to classified information), the agency requests a full background investigation, appropriate for either an “L” (secret), “L(H)” (high public trust),2 or “Q” (top secret) clearance, from the Office of Personnel Management (OPM).3 Once the OPM background investigation is returned to NRC, PSB staff adjudicate the results by reviewing the investigation report. The adjudicative process is an examination of a sufficient period of a person's life to make a determination to grant or deny a security clearance. Adjudicative guidelines provide the PSB staff members with specific criteria to aid in the determination process. NRC maintains employee personnel security information, such as background investigations, credit checks, and fingerprint checks, in paper files. When the files are not in use, PSB stores them in a secure, alarmed, file room (see Figures 1 and 2, below). An automated data system, referred to as the Integrated Personnel Security System, is also used to electronically store personnel security information, such as type of clearance and date of last investigation.

Figure 1. File Room Entrance Secured Figure 2. PSB File Room

2 The L(H) designation is used for employees (e.g., resident inspectors) who do not require a Q clearance because they do not work with Secret Restricted Data or Top Secret Restricted Data or Top Secret National Security Information. Individuals designated as L(H) are initially investigated with a Background Investigation, which is less extensive than the Single Scope Background Investigation required for a Q level clearance. These individuals are then reinvestigated at the L level, but more frequently than those with regular L clearances. 3 In lieu of an OPM investigation and report, NRC may accept an investigation from another Federal Government department or agency that conducts personnel security investigations (current within the most recent 5 years), provided that an equivalent investigation and access authorization has been granted to the individual by another Government agency on the basis of such an investigation and report. This acceptance of a pre-existing equivalent investigation is referred to as “reciprocity.”


3

In 2005, as a result of a substantial increase in hiring, ADM shifted its resources toward completing its own pre-appointment investigation and processing of 145b waivers. This resource re-alignment was effected to support the agency’s higher priority to complete ongoing hiring initiatives in a timely manner. For the period FY 2005 through FY 2008, background investigations increased from 925 to 1,593, or approximately 72 percent. As a result of this shift in resources, a considerable backlog of cases requiring adjudication developed after receipt of OPM closed background investigations. DFS management stated that this backlog, consisting primarily of contractor and licensee clearance requests, was 1,121 cases in January 2009. Management also asserted that the backlog has been reduced in the last 12 months to 350 cases.

Types of Clearances Issued

As of November 2009, 28 NRC employees were working under pre-appointment investigation waivers, 1,038 employees had Q clearances, 3,046 had L clearances, and 177 were designated as L(H) (see Figure 3). Figure 3

NRC Employees by Clearance Category as of November 2009

1,038

177

3,046

28

"Q" Top Secret "L(H)" High Public Trust "L" Secret Pre-Appointment

Source: OIG-generated based on data obtained from PSB Resources Allocated The PSB staff currently consists of 9 NRC employees (8 Personnel Security Specialists and 1 Senior Personnel Security Specialist) who adjudicate cases and 7 contract staff who perform administrative duties. During this audit, the PSB Branch Chief was promoted to the position of Deputy Director,


4

Division of Administrative Services. A Senior Personnel Security Specialist was serving as the Acting PSB Branch Chief while a search to fill the Branch Chief position was underway. On December 20, 2009, the Branch Chief position was filled. During FY 2009, NRC obligated $1.73 million for the Personnel Security Program and on background investigations of employees, contractors, and licensees.4

II. PURPOSE

The audit objectives were to determine whether (1) NRC is in compliance with external and internal personnel security clearance requirements, and (2) NRC’s personnel security clearance program is efficiently managed. See the report appendix for a description of the audit scope and methodology.

4 PSB processes clearance investigations for NRC employees, contractors, and licensees. This audit focuses primarily on the clearance investigation process for NRC employees, although implementation of recommendations in this report should also improve contractor and licensee clearance processing. In some cases, NRC employee data cannot be separated from contractor and licensee data in OPM reporting obtained. Exceptions of this nature are noted, as necessary, in this report.


5

III. FINDINGS

Although it is NRC’s policy to ensure that personnel security determinations are made in accordance with external and internal requirements, NRC is not fully in compliance with established timeliness requirements for processing personnel security clearances. Furthermore, NRC’s personnel security clearance program lacks sufficient management controls and oversight to measure the program’s efficiency and assign accountability for the program’s performance.

A. Timeliness Requirements Not Met

The Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) provides timeliness requirements for processing Federal personnel security clearance investigations. NRC has not fully met the adjudication and reinvestigation timeliness requirements because DFS management has not implemented a procedure to routinely monitor and follow up on all case files to ensure cases are processed timely. Additionally, management lacks useful and reliable reports to track the status of clearance investigations through the various stages of the investigative process. Delays in completing initial investigations may hinder agency productivity, while delays in completing reinvestigations can lead to increased security risks. Timeliness Requirements

IRTPA timeliness requirements address both adjudication of clearance investigations and initiation of reinvestigations. Adjudicative Timeliness The IRTPA requires that agencies make a determination on at least 80 percent of all applications for a personnel security clearance within an average of 120 days after the application for a security clearance is received by an authorized investigative agency (e.g., OPM).5 This 120-day-average requirement allows 90 days for completing the investigative phase of the clearance review and 30 days for completing the adjudicative phase of the

5 This “fastest 80 percent” requirement was put in place to provide a more realistic portrayal of agency performance. Delays for the 20 percent of cases that are not reported are typically due to the presence of serious issues that require further, extensive investigation or the absence of a required third party record. Inclusion of these cases would upwardly skew timeliness reporting.


6

clearance review.6 This audit focused on NRC’s adjudicative timeliness, as investigative timeliness falls under OPM jurisdiction and is therefore outside of NRC’s control. Reinvestigation Timeliness The IRTPA also requires that NRC initiate a reinvestigation every 5 years for Q and every 10 years for L clearances.7 Employees may also be reinvestigated if, at any time, there is reason to believe they no longer meet the standards for access to classified information. Investigation and Reinvestigation Timeliness Requirements Not Met NRC is not in compliance with respect to meeting established timeliness requirements for processing personnel security clearances. Specifically, NRC has not met IRTPA timeliness requirements for (1) adjudication of clearance investigations or (2) initiation of clearance reinvestigations. Adjudicative Timeliness NRC was not in compliance with IRTPA adjudication timeliness requirements. Review of an OPM "Adjudication Timeliness Report" confirms that current IRTPA requirements have not been met for the first three quarters of FY 2009 (see Figure 4, next page).8

6 In December 2009, IRTPA requirements changed to a 60-day-average period requirement. This new requirement allows 40 days to complete the investigative phase of the clearance review and 20 days to complete the adjudicative phase of the clearance review on at least 90 percent of all applications for a personnel security clearance. 7 NRC’s L(H) designation is unique to NRC; therefore, it is not addressed by the IRTPA. However, NRC Management Directive 12.3, NRC Personnel Security Program, requires L(H) reinvestigations be conducted every 5 years. Management Directive 12.3 also reaffirms the reinvestigation timeliness requirements found in the IRTPA for Q and L clearances. 8 OPM’s report combines timeliness results for NRC employees, contractors, and licensees. These combined results are reflected in Figure 4.


7

Figure 4

Adjudication Timeliness, Fastest 80 Percent October 1, 2008 through June 30, 2009

N=978

0

100

200

300

400

0-30 31-60 61-90 91-120 121-150 151-180 181-365

Days to Complete

Source: OIG-generated based on data obtained from OPM

OIG’s review also revealed that one employee was granted a 145b waiver and has been working at NRC since April 2005 without having the initial investigation adjudicated due to significant security issues. Furthermore, PSB staff did not take any adjudicative action for more than a year after the OPM investigation was completed on three employees’ investigative files. In one case, an OPM investigation of an NRC employee was completed in June of 2007 and the case was assigned to a Personnel Security Specialist. Because the results contained classified information from the Federal Bureau of Investigation with regard to issues of foreign influence, PSB staff secured the file in a safe. However, the file remained in the safe, untouched, until it was discovered in July of 2009 and reassigned to a different Personnel Security Specialist. As of November 2009, clearances have been granted for two of the four NRC examples identified above. Reinvestigation Timeliness OIG identified 161 NRC employees whose reinvestigations were more than 1 year past due. In one case, a Branch Chief’s last investigation for an L clearance (required every 10 years) was completed more than 13 years ago, in May of 1996. Of the 161 past due reinvestigations, 43 were for reinvestigations of NRC employees with Q clearances.

62 percent of adjudications occurred outside of the 30-day IRTPA requirement


8

Reinvestigations more than 1 year past due by clearance type are depicted in Figure 5. Figure 5

Reinvestigations > 1 Year Past Due by Clearance Type as of September 2009

43

32

86

Q - Top Secret

L(H) - High Public Trust

L - Secret

Source: OIG-generated based on data obtained from PSB

Lack of Management Oversight PSB is not meeting adjudication or reinvestigation timeliness requirements because management lacks useful and reliable reports to track the status of clearance investigations through the various stages of the investigative process. Additionally, management has not implemented procedures to routinely monitor and follow up on all case files to make sure cases are handled expeditiously. During the course of this audit, OIG conveyed this finding to PSB management who subsequently implemented an internal procedure to monitor cases as of December 2009. OIG verified this and removed the draft report recommendation to develop and implement a written procedure to routinely monitor and follow up on all personnel security case files. Useful Routine Reporting Limited Currently, there is no complete report that shows when adjudications or reinvestigations are overdue. Additionally, limited useful personnel security reports further restricts PSB’s ability to track clearance investigations and reinvestigations. The Integrated Personnel Security System contains 11 predefined adjudication reports, but only one, which lists all 145b applicants in a pending or active status, can be used to help PSB assess whether it is completing adjudications in a timely manner. PSB is also unable to track an investigation


9

from the time it is sent to OPM until it is returned from OPM and the clearance granted. Furthermore, for almost 2 years, a report intended to notify staff of upcoming employee reinvestigations has not been operating as intended. The report, titled “Notifications,” is supposed to list individuals requiring reinvestigations. However, the report is inaccurate because it includes employees who have already been reinvestigated, and individuals who no longer work for NRC. Lack of reliable data forces staff to go through the report manually and decide which individuals actually require a reinvestigation before they can initiate the process. The “Notifications” report has reportedly been upgraded during the course of this audit to allow the removal of persons having an investigation started or completed. DFS staff are in the process of verifying whether the upgraded report is now operating as intended. No Routine Monitoring Interviews with management and staff confirmed that there is no routine monitoring or assessment of the status of individual personnel security clearance case files to ensure that cases returned from OPM are adjudicated in a timely manner. Instead, it is up to staff to track the status of the cases they are adjudicating on individually maintained spreadsheets. PSB staff acknowledged that investigations sometimes "fall through the cracks" and reported that they learn of these instances only when someone calls to check on the status of a clearance that has taken too long. Productivity Concerns and Security Risks Delays in completing initial investigations hinder agency productivity, while delays in completing reinvestigations can lead to increased security risks. Agency Productivity Hindered Many jobs at NRC require that employees have a clearance to enable them access to classified information to perform their jobs. Access to classified information requires a clearance equal to or higher than the level of information to be accessed, and a need-to-know. Employees with a 145b waiver cannot access classified information while awaiting clearance approval, which hinders productivity by limiting the duties that the


10

employee can perform. This is exacerbated by an untimely adjudicative process. Increased Security Risks NRC’s risk of a security breach occurring is increased because of delays in completing employee reinvestigations. The Joint Security Commission9 reported that delaying reinvestigations poses risks to national security because the longer individuals hold clearances, the more likely they are to be working with more critical information and systems. Also, the longer a reinvestigation is delayed, the greater the risk that changes in an individual's behavior will go undetected. Recommendation:

OIG recommends that the Executive Director for Operations: 1. Develop routine reports that provide management with the

appropriate data needed to monitor and follow up on the status of all personnel security case files.

9 The Joint Security Commission was established in May 1993 by the Secretary of Defense and the Director of Central Intelligence to review security policies and procedures. It was convened twice and issued reports on its work in 1994 and 1999.


11

B. Agency Lacks Personnel Security Performance Measures

Federal control standards require the establishment and review of performance measures and indicators. At the start of this audit, NRC lacked performance measures to assess the efficiency of NRC’s personnel security clearance program. In response to a 2004 Office of the Inspector General (OIG) audit report recommendation, DFS added a timeliness performance measure to the FY 2005 ADM Operating Plan for the processing of personnel security investigations. In FY 2006, deeming the timeliness performance measure unattainable, management removed the measure from the plan. Without performance measures, the agency’s ability to assess personnel security clearance program efficiency and assign accountability for the program performance is limited. Requirement for Performance Measures Performance measurement is achieved through the ongoing monitoring and reporting of program accomplishments, particularly progress towards pre-established goals. Performance assessments are used to analyze performance and seek improvements in efficiency and effectiveness. Federal standards require agencies to establish and monitor performance measures and indicators. Performance Measures Inadequate At the start of this audit, the ADM Operating Plan lacked performance measures to monitor the efficiency of the personnel security clearance program. A timeliness performance measure for the processing of personnel security investigations, once included in the ADM Operating Plan, was removed. Additionally, during this audit OIG reviewed the Performance Elements and Standards for the positions of Deputy Director, DFS and Branch Chief, PSB. Each of the documents reviewed contained a “Timeliness and Quality” standard that is dependent on meeting milestones and schedules provided in the ADM Operating Plan. OIG's review found that the ADM Operating Plan contained no security clearance processing timeliness measures. Lack of Management Oversight As a result of Audit Report OIG-04-A-11, Review of NRC's Personnel Security Program, ADM complied with an OIG recommendation and established a performance measure to


12

assess the timeliness of NRC's reinvestigation program in its FY 2005 Operating Plan. The timeliness performance measure was subsequently deemed unattainable by DFS management and therefore was removed from its FY 2006 Operating Plan. A manager no longer assigned to DFS stated that NRC hiring increases had placed an increased demand on DFS, which had been unable to increase adjudicative staff to appropriately handle this increase in workload.10 During the course of this audit, OIG conveyed this finding to DFS management and, subsequently, performance measures were added to the ADM Operating Plan for FY 2010. OIG verified this and removed the draft report recommendation to include a performance measure in the ADM Operating Plan to measure the timeliness of the security clearance process. Without Performance Measures, NRC Cannot Assess Efficiency The ability to assess personnel security clearance program efficiency and assign accountability for program performance is limited without performance measures. Performance measures are key indicators that can be used by management to assess the effectiveness of the program and determine where issues can be identified and resolved. Without performance measures, management cannot establish goals and measures to determine and improve program efficiency and effectiveness. Recommendations: OIG recommends that the Executive Director for Operations: 2. Include a performance measure in the Performance

Elements and Standards for Branch Chief, Personnel Security Branch, to measure the timeliness of the security clearance process.

3. Include a performance measure in the Performance

Elements and Standards for Deputy Director, Division of Facilities and Security, to measure the adequacy and timeliness of work products from the Personnel Security Branch.

10 Between FY 2006 and FY 2009, NRC hired 2,169 employees, resulting in a net increase of 578 full-time equivalent staff.


13

IV. AGENCY COMMENTS

Prior to and subsequent to a January 28, 2010, exit conference, agency senior executives provided suggested revisions to the discussion draft report for OIG’s consideration. This final report incorporates revisions made, where appropriate, as a result of the agency’s suggestions.


14

V. CONSOLIDATED LIST OF RECOMMENDATIONS

OIG recommends that the Executive Director for Operations:

1. Develop routine reports that provide management with the appropriate data needed to monitor and follow up on the status of all personnel security case files.

2. Include a performance measure in the Performance Elements and Standards for Branch Chief, Personnel Security Branch, to measure the timeliness of the security clearance process.

3. Include a performance measure in the Performance Elements and Standards for Deputy Director, Division of Facilities and Security, to measure the adequacy and timeliness of work products from the Personnel Security Branch.


15

Appendix

SCOPE AND METHODOLOGY

The audit objectives were to determine whether (1) NRC is in compliance with external and internal personnel security clearance requirements, and (2) NRC’s personnel security clearance program is efficiently managed. To accomplish the audit objectives, OIG obtained and analyzed pertinent laws, regulations, and authoritative guidance; NRC policies and procedures; and prior relevant NRC OIG reports to identify Federal and agency requirements relevant to the personnel security clearance program. Guidance reviewed included the following: The Intelligence Reform and Terrorism Prevention Act of

2004.

Executive Order No. 12968, Access to Classified Information.

Revised Federal Investigative Standards.

Government Accountability Office Standards for Internal Control in the Federal Government.

Additionally, OIG reviewed investigation case files, security system reports, human resource documents, and internal communications and conducted interviews with previous and current staff to:

Gain an understanding of NRC’s personnel security

clearance program.

Determine current issues, problems, and known deficiencies.

Assess internal controls.

Internal controls related to the audit objective were reviewed and analyzed. Throughout the audit, auditors were aware of the possibility or existence of fraud, waste, or misuse in the program.

The work was conducted from June to October 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform


16

the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The work was conducted by Beth Serepca, Team Leader; Terri Cooper, Audit Manager; Maxine Lorette, Senior Auditor; and Robert Woodward, Senior Auditor. We performed the audit work at NRC headquarters in Rockville, Maryland.

OIG-10-A-09, Audit of NRC's Personnel Security Clearance ...

Documents

Transcript of OIG-10-A-09, Audit of NRC's Personnel Security Clearance ...